2 signs DHS is turning the corner on cybersecurity

By William Jackson

Nov 29, 2011

The appointment of Mark Weatherford to a lead cybersecurity role in the Homeland Security Department is part of a trend that is transforming federal IT security from a paperwork exercise to effective defense of government systems, says long-time observer Alan Paller.

Weatherford, who became DHS’ first deputy undersecretary for cyber security on Nov. 21, is the first technologist with hands-on cybersecurity experience in government and the private sector in a DHS cybersecurity post, said Paller, director of research at the SANS Institute.

“Mark has been very good at hiring technology people in other jobs, and I think he’ll be able to do it here,” he said. “I believe that this is the first day of the rest of life at DHS.”

The appointment comes as DHS’ role in enforcing the Federal Information Security Management Act is being clarified and strengthened, and FISMA is shifting from a periodic assessment and certification of information systems to a continuous monitoring of security status.

“Now they have to implement the second half,” Paller said, which is to use the information gathered from monitoring systems to correct security problems.

FISMA has long been criticized as a paperwork exercise rather than the foundation for a effective security programs, and DHS’s role in enforcing FISMA requirements has been problematical. Instructions for fiscal 2011 FISMA reporting to Congress say specifically that that DHS has operational responsibility for cybersecurity in executive branch agencies. But that assurance comes in a memo from the Office of Management and Budget, which has historically overseen FISMA compliance by virtue of its budget authority. Several bills before Congress would give DHS statutory authority for FISMA, but until one of them becomes law the department relies on authority delegated from OMB.

One of the most significant uses of that authority was the department’s determination that continuous monitoring of the security status of IT systems not only is required under FISMA, but that it also takes the place of the authorization required every three years under original FISMA guidance. OMB made this explicit in its 2011 instructions.

“Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs,” the instructions say. “Continuous monitoring programs thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.”

This requirement for continuous monitoring of systems is the greatest change in FISMA since it was enacted in 2002. Although the act has not been amended, the National Institute of Standards and Technology, which is charged with developing technical standards and specifications for compliance, has shifted its guidance from periodic assessments to continuous monitoring.

A handful of agencies, led by the State Department, have implemented programs to continuously monitor and update systems. Paller said he believes this will become the norm within a year, as budgets and tools become readily available for this.

“Technology adoption doesn’t happen lineally, it happens almost all at once,” he said. “We are within five or 10 months of everyone saying, ‘We were always going to do that’.”

The position of deputy under secretary for cyber security, in the National Protection and Programs Directorate at DHS, was created in September and Weatherford was named to it in October. Greg Schaffer, assistant secretary for cybersecurity and communications, had been acting in that position.

Weatherford came to DHS from the North American Electric Reliability Corp., where he directed the critical infrastructure and cybersecurity program for the nation’s power transmission systems. He left his position as California’s chief information security officer in July 2010 to join NERC, and prior to that had been Colorado’s CISO. He also is a former Navy cryptologic officer and led the Navy’s computer network defense operations and its Computer Incident Response Team.

inside gcn

Reader Comments

Mon, Dec 12, 2011
Karen
Washington, DC

I could not agree more with what Jack just said. There's really nothing new about continuous monitoring - the new developments focus more on continuous reporting. And this is also not very accurate: "This requirement for continuous monitoring of systems is the greatest change in FISMA since it was enacted in 2002." Ongoing vulnerability scanning and annual assessments have always been required; the newer requirements have just made them less of a joke. Now, instead of doing their own paperwork checklist once a year and then doing an independent C&A every 3, agencies are hiring consultants to do 1/3 of their C&A testing every year, to contribute towards the overall security authorization. Controls are STILL only tested once every three years. People aren't freaking out because of new security requirements; they're freaking out because now they have to report what they're doing - which, sadly, is typically nothing.

Wed, Nov 30, 2011
Jack

This is a false statement:
"the National Institute of Standards and Technology, which is charged with developing technical standards and specifications for compliance, has shifted its guidance from periodic assessments to continuous monitoring."
NIST has always stated continuous monitoring is part of any security program throughout the history of the NIST Risk management framework. OMB is the one who put maximum time frames on re-authorization, assessments and the like because they had to or Agencies wouldn't do anything. "Where does it say we HAVE TO DO THIS?" Unless you force an Agency to to something explicit in writing they won't. Replacing the re-authorization with "continuous monitoring" is fine but doesn't change anything about NIST's approach. It changes OMB A-130. Again, read 800-53, 800-37, and 800-137. Read the older versions. You'll find NIST has always stated the Agency is responsible for selecting the appropriate subset of controls for enhanced monitoring and assessment. Agencies didn't understand how to do this and/or wouldn't do this because it wasn't explicit enough where you could point to a circular which said "every three years thou shalt X"

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.